From: "Dan Langille"
Organization: DVL Software Limited
To: "Eric J. Schwertfeger", freebsd-security@FreeBSD.ORG
CC: freebsd-security@FreeBSD.ORG
Date: Fri, 23 Oct 1998 11:00:00 +1300
Subject: Re: default rules in rc.firewall cause problem
Reply-to: junkmale@xtra.co.nz
Message-Id: <199810222159.KAA04958@witch.xtra.co.nz>
References: <199810222056.JAA23805@witch.xtra.co.nz>

On 22 Oct 98, at 14:06, Eric J. Schwertfeger wrote:

> On Fri, 23 Oct 1998, Dan Langille wrote:
>
> > Hmmm, could your explanation be the cause of what I'm seeing here? And would
> > the modification to the rule make sense?
>
> Yes.
>
> > $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out
>
> As long as that comes before the natd divert, it will keep any packets
> resulting from the crack attempt from going back. Most DOS attacks don't
> need to get their replies back, however. It's better than nothing,
> though.

For what it's worth, I moved the modified rule to be above the divert. It seems to work fine. As it did before, but as you say, better than nothing.

Cheers.

> > It will deny all outgoing packets but allow incoming packets, which are
> > what natd is effectively doing. If I read /etc/rc.firewall correctly,
> > there are other default rules higher up in the list which will prevent
> > incoming packets pretending to be from 192.168.0.0/24. For example:
>
> The problem is, under -stable, when a packet going back into a
> masqueraded connection goes into natd, it comes back out starting all over
> at the first rule, and the firewall rules have no way of knowing that the
> packet didn't really come from the outside world.

This may be enough to push us onto -current. Will the fix be included with 2.2.8?

Thanks. Your help has been appreciated.

-- 
Dan Langille
DVL Software Limited
The FreeBSD Diary - my [mis]adventures
http://www.FreeBSDDiary.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
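The ordering point Eric makes above (the deny rule only helps if it sits above the natd divert, because packets leaving natd re-enter at the first rule), as an added illustration that is not Dan's rc.firewall nor FreeBSD's own. The interface names and the dry-run `fwcmd` stand-in are assumptions; it records rules instead of loading them, so it runs without ipfw while the rule text stays ordinary ipfw syntax.

```sh
#!/bin/sh
# Added illustration of the rule-ordering point from this thread; it is not
# the poster's rc.firewall nor FreeBSD's. Interface names and the dry-run
# fwcmd() are assumptions. fwcmd only records rules, so the script runs
# without ipfw; the rule text itself is ordinary ipfw syntax.

oif="ed0"               # assumed external interface
natd_interface="ed0"    # assumed interface natd diverts on
rules=""                # rules recorded by fwcmd, one per line

fwcmd() {
    # Dry-run stand-in for /sbin/ipfw: append the rule instead of loading it.
    rules="${rules}$*
"
}

build_rules() {
    # $1 = "deny-first" (rule moved above the divert, as Dan did) or
    #      "divert-first" (deny rule left below the divert)
    rules=""
    if [ "$1" = "deny-first" ]; then
        fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out
    fi
    # Replies to a masqueraded session leave natd and re-enter at the first
    # rule, so a deny rule placed below this line never gets to see them.
    fwcmd add divert natd all from any to any via ${natd_interface}
    if [ "$1" != "deny-first" ]; then
        fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} out
    fi
    fwcmd add pass all from any to any
    printf '%s' "$rules"
}

# Exit 0 when the deny rule for 192.168.0.0/16 sits above the natd divert.
deny_before_divert() {
    build_rules "$1" | awk '
        /deny .*192\.168\.0\.0/ { deny = NR }
        /divert natd/           { div  = NR }
        END { exit !(deny > 0 && div > 0 && deny < div) }'
}

build_rules deny-first
deny_before_divert deny-first && echo "deny rule precedes divert: ok"
```

Running the check against a real rule set would mean feeding `ipfw list` output to the same awk filter instead of the dry-run list.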